urelas | 77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2025 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe
Size

438KB
MD5

b40e208afec48c1c8d1e41e87d015453
SHA1

56fedd2c3fa4b49bd550ef362180e8d7a26b334f
SHA256

77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09
SHA512

f104219b752306fe690607f2d123dd2d1604d6b36257eaebe58696bbd2beb2454b32b20c7779ce2a24af083ec2cc1744fe3e53323448430e39d88be9ffed0316
SSDEEP

6144:oo3wBi+1Py3V0a2WkRNgi3caOHO5NjEwwiYWB5mV4Pzw9ygibGGMM2:rKf1PyKa2H3hOHOHz9JQ6zB8

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.165

218.54.31.226

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	burea.exe

Executes dropped EXE 2 IoCs

pid	Process
2872	burea.exe
3640	vedee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	burea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vedee.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe
3640	vedee.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 2872	1396	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe	83
PID 1396 wrote to memory of 2872	1396	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe	83
PID 1396 wrote to memory of 2872	1396	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe	83
PID 1396 wrote to memory of 3420	1396	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe	84
PID 1396 wrote to memory of 3420	1396	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe	84
PID 1396 wrote to memory of 3420	1396	77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe	84
PID 2872 wrote to memory of 3640	2872	burea.exe	102
PID 2872 wrote to memory of 3640	2872	burea.exe	102
PID 2872 wrote to memory of 3640	2872	burea.exe	102

C:\Users\Admin\AppData\Local\Temp\77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe
"C:\Users\Admin\AppData\Local\Temp\77b779a9aa50c0351a69bbb94a1fd392357ee2449fd9233d8751e3eec54b8b09.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Users\Admin\AppData\Local\Temp\burea.exe
  "C:\Users\Admin\AppData\Local\Temp\burea.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\vedee.exe
    "C:\Users\Admin\AppData\Local\Temp\vedee.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3640
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
18cf1d671fe761828e90f702d62429ba

SHA1
e2bde96e97376e360e63107ca7c97bae293545ca

SHA256
a84a755ffdbdaa156ddb7f8143e74d3f64e00de1c01cd0382c38a9b6eae0ad77

SHA512
42a26336d3c0c1184ad03c2987e18f331205a5df82babfbe4d13fa198066ca4bc8ee26543e3963878cb95a59191d8c477a3a975e0c8ea0cb2b31b24fa1202282

Download Submit
C:\Users\Admin\AppData\Local\Temp\burea.exe

Filesize
438KB

MD5
ffafa76a1e33476926fe06ef58ffbd54

SHA1
93452a473c163280f0c256113db4ed93f0667389

SHA256
5ec40c78ccdebc396b14f3ae009337ad494826757c25cf2700bc0077a88a9230

SHA512
b5c1ebeaaeda8120a396d39a84d1ce777855dd1d9122c2ae6b33dcd5b961e323af8bb4631fff9398af5a1694e6cbc06cf2fadf644391f6604e4ee5715d28825c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
d7e8abbcb0e1be726e2212f7ed3d23fe

SHA1
80ed971e0c8cdcf7bbc2609e1a63daa0b9318116

SHA256
9b2ba6a326f02f0b85d6d61de36327fdeb4be9e01268528abf12255b5a5c13cf

SHA512
a285752c3d2ed3f10a06a3cbce3d69eda5254acb6cda5a16e0e961a3fae3272feabe5c39bb6e48fa59c219ef30089975f43da1d2ac71b0562f2ab7fc90673c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vedee.exe

Filesize
230KB

MD5
2f75172d65ec6bf38f65d03ec3d56fc7

SHA1
cf6b30ea38286cbc62ef498e4cd7b6d08741f3a6

SHA256
3e90556321f66f6ee41e170bbb38cf412088ec84214b7d0677a4e050a6262bf8

SHA512
843ef29731ab5db703d6e3525dc291ca26e95ff7b9903ace2ee495a7117944ad8d4da052a2bac79ea47cba1b4dd96038298647c0620ed1626345c0fec26b6c7a

Download Submit
memory/1396-14-0x00000000005B0000-0x000000000061E000-memory.dmp

Filesize
440KB

Download
memory/1396-0-0x00000000005B0000-0x000000000061E000-memory.dmp

Filesize
440KB

Download
memory/2872-28-0x0000000000150000-0x00000000001BE000-memory.dmp

Filesize
440KB

Download
memory/2872-10-0x0000000000150000-0x00000000001BE000-memory.dmp

Filesize
440KB

Download
memory/2872-17-0x0000000000150000-0x00000000001BE000-memory.dmp

Filesize
440KB

Download
memory/3640-26-0x0000000000630000-0x00000000006CE000-memory.dmp

Filesize
632KB

Download
memory/3640-27-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/3640-30-0x0000000000630000-0x00000000006CE000-memory.dmp

Filesize
632KB

Download
memory/3640-31-0x0000000000630000-0x00000000006CE000-memory.dmp

Filesize
632KB

Download
memory/3640-32-0x0000000000630000-0x00000000006CE000-memory.dmp

Filesize
632KB

Download
memory/3640-33-0x0000000000630000-0x00000000006CE000-memory.dmp

Filesize
632KB

Download
memory/3640-34-0x0000000000630000-0x00000000006CE000-memory.dmp

Filesize
632KB

Download